
I run a blog on WordPress. Recently I received an abuse complaint from the server which, when verified, returned this:

============================================================ 
Received: from [192.241.188.154] by usfamily.net 
(USFamily MTA v5/:PG5vcm1hX2NoYW1iZXJzQG1yaW5hbHB1cm9oaXQuY29tPjxkamtpbm5leUB1c2ZhbWlseS5uZXQ_)
with SMTP id <20140301115044001084500013> for <djkinney@usfamily.net>; 
Sat, 01 Mar 2014 11:50:44 -0600 (CST) 
(envelope-from norma_chambers@myblog.com, notifiable emailnetwork 192.241.188.) 
Received: by myprimarydomain.com (Postfix, from userid 498) 
id 1C5EE1305AE; Sat, 1 Mar 2014 17:12:39 +0000 (UTC) 
To: djkinney@usfamily.net 
Subject: FW: Good day 
X-PHP-Originating-Script: 498:sslnEn.php 
From: "Norma Chambers" <norma_chambers@myblog.com> 
Reply-To: "Norma Chambers" <norma_chambers@myblog.com> 
X-Priority: 3 (Normal) 
MIME-Version: 1.0 
Content-Type: text/html; charset="iso-8859-1" 
Message-Id: <20140301171239.1C5EE1305AE@myblog.com> 
Date: Sat, 1 Mar 2014 17:12:39 +0000 (UTC) 
Content-Transfer-Encoding: quoted-printable

<div> 
<p> 
Top Meds Website good deal <a href=3D"http://dumantarim.com/modules/mod_= 
araticlhess/rlf.html">http://dumantarim.com/modules/mod_araticlhess/rlf.h= 
tml</a> 
</p> 
</div>

============================================================

Now I assumed that it meant this: several unsolicited emails were sent from the address norma_chambers@myblog.com. If my assumption is correct, this email address should have existed on the VPS AND the user had access to the email account to send mails. Does it really mean that my server (VPS) was hacked? I am not actually using any contact form on my blog as such, but this may be caused by some plugin etc.??? Not sure :(

Am I on the correct path to trace this problem? Please shed some light.

beNerd
  • 117

1 Answer

0

You haven't provided much information, but it sounds like your WordPress installation has been compromised and a spam-sending script has been uploaded and used.

The "from" address on the email doesn't necessarily mean that the account/address exists on your server, as almost all email headers can be faked. The user-id is most likely that of your web-server user, which was the system user that was used to execute the intruder's script - you can check /etc/passwd to be sure.

A detailed post on how to recover from a hack is here. At the very least, you should stop Apache on your server and scan your WordPress installation for suspicious files, and change your account passwords.

Craig Watson
  • 9,790
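The checks the answer suggests, as an added example that is not code from the question or the answer: pull the uid and script name out of the bounced message's headers (the header lines are the ones quoted in the question), resolve the uid against an /etc/passwd-style file, and list recently modified PHP files under the web root. The passwd path and web root are parameters; the `WP_ROOT` variable and its `/var/www/html` default are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original question or answer: turn the headers
# in the abuse complaint into concrete leads on the server. The two header
# lines below are constructed from the message quoted in the question.

HEADERS='Received: by myprimarydomain.com (Postfix, from userid 498)
X-PHP-Originating-Script: 498:sslnEn.php'

# "uid:script" as recorded by PHP when mail.add_x_header is enabled; the uid
# is that of the process that called mail(), i.e. normally the web server user.
originating_script() {
  printf '%s\n' "$1" | sed -n 's/^X-PHP-Originating-Script:[[:space:]]*//p'
}

# uid from Postfix's "from userid N" Received line; it should match the one above.
received_userid() {
  printf '%s\n' "$1" | sed -n 's/.*(Postfix, from userid \([0-9]*\)).*/\1/p'
}

# Resolve a numeric uid to a login name using an /etc/passwd-style file ($2).
uid_to_name() {
  awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$2"
}

# PHP files under a web root ($1) modified within the last N days ($2): a
# dropped mailer script usually shows up as a recent file with an odd name.
recent_php_files() {
  find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

script=$(originating_script "$HEADERS")
uid=${script%%:*}
echo "script ${script#*:} ran as uid $uid (Received header says uid $(received_userid "$HEADERS"))"
echo "uid $uid resolves to: $(uid_to_name "$uid" /etc/passwd)"
# WP_ROOT is an assumed variable; /var/www/html is an assumed default web root.
recent_php_files "${WP_ROOT:-/var/www/html}" 7
```

If the resolved name is the web server account (www-data, apache, nginx), the mail was sent by something running under the web server, which points at the WordPress installation rather than at a compromised mail account.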